Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, comprising: monitoring behaviors of a computing device to collect behavior information; generating a behavior vector information structure based on the collected behavior information; applying the behavior vector information structure to a classifier model to generate analysis results; using the analysis results to classify a behavior of the computing device; using the analysis results to determine features evaluated by the classifier model that contributed most to a classification of the behavior; selecting the features that contributed most to the classification of the behavior; and displaying the selected features on an electronic display of the computing device.
2. The method of claim 1 , wherein using the analysis results to classify the behavior of the computing device comprises using the analysis results to classify the behavior as an anomaly.
3. The method of claim 1 , wherein: using the analysis results to classify the behavior of the computing device comprises using the analysis results to classify the behavior as non-benign; using the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior comprises using the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior as non-benign; and selecting the features that contributed most to the classification of the behavior comprises selecting the features that contributed most to the classification of the behavior as non-benign.
4. The method of claim 1 , wherein generating the behavior vector information structure based on the collected behavior information comprises generating a behavior vector that characterizes an activity of a software application.
5. The method of claim 1 , further comprising: determining a relative importance of the features that contributed most to the classification of the behavior.
6. The method of claim 1 , further comprising: balancing tradeoffs between amounts of computing device processing, memory, and energy resources used to identify, analyze or respond to the behavior based on the features that contributed most to the classification of the behavior.
7. The method of claim 1 , wherein applying the behavior vector information structure to the classifier model to generate the analysis results comprises: selecting a family of robust classifier models; and applying a plurality of behavior vectors to the selected family of robust classifier models to generate the analysis results.
8. The method of claim 1 , further comprising: receiving a full classifier model that includes a finite state machine, the finite state machine including information that is suitable for expression as a plurality of boosted decision stumps, each boosted decision stump including a test condition, a first weight value, and a second weight value; generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into the plurality of boosted decision stumps; and generating a lean classifier model in the computing device based on boosted decision stumps included in the list of boosted decision stumps, wherein applying the behavior vector information structure to the classifier model to generate the analysis results comprises applying the behavior vector information structure to the generated lean classifier model.
9. The method of claim 8 , wherein applying the behavior vector information structure to the generated lean classifier model comprises: applying the collected behavior information included in the behavior vector information structure to each of the boosted decision stumps in the generated lean classifier model; using first weight values of the boosted decision stumps to compute a first weighted average of results of applying the collected behavior information to each of the boosted decision stumps in the generated lean classifier model; and comparing the first weighted average to a threshold value to determine whether the behavior is benign.
10. The method of claim 9 , wherein selecting the features that contributed most to the classification of the behavior comprises using second weight values of the boosted decision stumps to determine the features that contributed most to the classification of the behavior as benign.
11. A computing device, comprising: a processor configured with processor-executable instructions to: monitor device behaviors to collect behavior information; generate a behavior vector information structure based on the collected behavior information; apply the behavior vector information structure to a classifier model to generate analysis results; use the analysis results to classify a behavior of the computing device; use the analysis results to determine features evaluated by the classifier model that contributed most to a classification of the behavior; select the features that contributed most to the classification of the behavior; and display the selected features on an electronic display of the computing device.
12. The computing device of claim 11 , wherein the processor is further configured with processor-executable instructions to use the analysis results to classify the behavior of the computing device by using the analysis results to classify the behavior as an anomaly.
13. The computing device of claim 11 , wherein the processor is further configured with processor-executable instructions to: use the analysis results to classify the behavior of the computing device by using the analysis results to classify the behavior as non-benign; use the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior by using the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior as non-benign; and select the features that contributed most to the classification of the behavior by selecting the features that contributed most to the classification of the behavior as non-benign.
14. The computing device of claim 11 , wherein the processor is further configured with processor-executable instructions to: determine a relative importance of the features that contributed most to the classification of the behavior.
15. The computing device of claim 11 , wherein the processor is further configured with processor-executable instructions to: balance tradeoffs between amounts of computing device processing, memory, and energy resources used to identify, analyze or respond to the behavior based on the features that contributed most to the classification of the behavior.
16. The computing device of claim 11 , wherein: the processor is further configured with processor-executable instructions to: receive a full classifier model that includes a finite state machine, the finite state machine including information that is suitable for expression as a plurality of boosted decision stumps, each boosted decision stump including a test condition, a first weight value, and a second weight value; generate a list of boosted decision stumps by converting the finite state machine included in the full classifier model into the plurality of boosted decision stumps; and generate a lean classifier model in the computing device based on boosted decision stumps included in the list of boosted decision stumps, and the processor is further configured with processor-executable instructions to apply the behavior vector information structure to the classifier model to generate the analysis results by: applying the collected behavior information included in the behavior vector information structure to each of the boosted decision stumps in the generated lean classifier model; using first weight values of the boosted decision stumps to compute a first weighted average of results of applying the collected behavior information to each of the boosted decision stumps in the generated lean classifier model; and comparing the first weighted average to a threshold value to determine whether the behavior is benign.
17. The computing device of claim 16 , wherein the processor is further configured with processor-executable instructions to select the features that contributed most to the classification of the behavior by using second weight values of the boosted decision stumps to determine the features that contributed most to the classification of the behavior as benign.
18. A non-transitory computer readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a computing device to perform operations comprising: monitoring device behaviors to collect behavior information; generating a behavior vector information structure based on the collected behavior information; applying the behavior vector information structure to a classifier model to generate analysis results; using the analysis results to classify a behavior of the computing device; using the analysis results to determine features evaluated by the classifier model that contributed most to a classification of the behavior; selecting the features that contributed most to the classification of the behavior; and displaying the selected features on an electronic display of the computing device.
19. The non-transitory computer readable storage medium of claim 18 , wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that using the analysis results to classify the behavior of the computing device comprises using the analysis results to classify the behavior as an anomaly.
20. The non-transitory computer readable storage medium of claim 18 , wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that: using the analysis results to classify the behavior of the computing device comprises using the analysis results to classify the behavior as non-benign; using the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior comprises using the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior as non-benign; and selecting the features that contributed most to the classification of the behavior comprises selecting the features that contributed most to the classification of the behavior as non-benign.
21. The non-transitory computer readable storage medium of claim 18 , wherein the stored processor-executable software instructions are configured to cause a processor to perform operations further comprising: determining a relative importance of the features that contributed most to the classification of the behavior.
22. The non-transitory computer readable storage medium of claim 18 , wherein the stored processor-executable software instructions are configured to cause a processor to perform operations further comprising: balancing tradeoffs between amounts of computing device processing, memory, and energy resources used to identify, analyze or respond to the behavior based on the features that contributed most to the classification of the behavior.
23. The non-transitory computer readable storage medium of claim 18 , wherein: the stored processor-executable software instructions are configured to cause a processor to perform operations further comprising: receiving a full classifier model that includes a finite state machine, the finite state machine including information that is suitable for expression as a plurality of boosted decision stumps, each boosted decision stump including a test condition, a first weight value, and a second weight value; generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into the plurality of boosted decision stumps; and generating a lean classifier model in the computing device based on boosted decision stumps included in the list of boosted decision stumps, and the stored processor-executable software instructions are configured to cause a processor to perform operations such that applying the behavior vector information structure to the classifier model to generate the analysis results comprises: applying the collected behavior information included in the behavior vector information structure to each of the boosted decision stumps in the generated lean classifier model; using first weight values of the boosted decision stumps to compute a first weighted average of results of applying the collected behavior information to each of the boosted decision stumps in the generated lean classifier model; and comparing the first weighted average to a threshold value to determine whether the behavior is benign.
24. The non-transitory computer readable storage medium of claim 23 , wherein the stored processor-executable software instructions are configured to cause a processor to perform operations such that selecting the features that contributed most to the classification of the behavior comprises using second weight values of the boosted decision stumps to determine the features that contributed most to the classification of the behavior as benign.
25. A computing device, comprising: means for monitoring device behaviors to collect behavior information; means for generating a behavior vector information structure based on the collected behavior information; means for applying the behavior vector information structure to a classifier model to generate analysis results; means for using the analysis results to classify a behavior of the computing device; means for using the analysis results to determine features evaluated by the classifier model that contributed most to a classification of the behavior; means for selecting the features that contributed most to the classification of the behavior; and means for displaying the selected features.
26. The computing device of claim 25 , wherein means for using the analysis results to classify the behavior of the computing device comprises means for using the analysis results to classify the behavior as an anomaly.
27. The computing device of claim 25 , wherein: means for using the analysis results to classify the behavior of the computing device comprises means for using the analysis results to classify the behavior as non-benign; means for using the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior comprises means for using the analysis results to determine the features evaluated by the classifier model that contributed most to the classification of the behavior as non-benign; and means for selecting the features that contributed most to the classification of the behavior comprises means for selecting the features that contributed most to the classification of the behavior as non-benign.
28. The computing device of claim 25 , further comprising: means for determining a relative importance of the features that contributed most to the classification of the behavior.
29. The computing device of claim 25 , further comprising: means for receiving a full classifier model that includes a finite state machine, the finite state machine including information that is suitable for expression as a plurality of boosted decision stumps, each boosted decision stump including a test condition, a first weight value, and a second weight value; means for generating a list of boosted decision stumps by converting the finite state machine included in the full classifier model into the plurality of boosted decision stumps; and means for generating a lean classifier model in the computing device based on boosted decision stumps included in the list of boosted decision stumps, wherein means for applying the behavior vector information structure to the classifier model to generate the analysis results comprises: means for applying the collected behavior information included in the behavior vector information structure to each of the boosted decision stumps in the generated lean classifier model; means for using first weight values of the boosted decision stumps to compute a first weighted average of results of applying the collected behavior information to each of the boosted decision stumps in the generated lean classifier model; and means for comparing the first weighted average to a threshold value to determine whether the behavior is benign.
30. The computing device of claim 29 , wherein means for selecting the features that contributed most to the classification of the behavior comprises means for using second weight values of the boosted decision stumps to determine the features that contributed most to the classification of the behavior as benign.
Unknown
February 21, 2017
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.